
Archive - November 2000
A Certified Lack of Confidence: The Threat of Rogue Certificate Authorities

For more than a decade, computer-generated digital certificates have made it possible to authenticate the identity of computer systems, data, and websites by binding a public key to an identity such as an owner’s name. The process relies on trust. “Secure” websites use such a certificate to validate their identity. The certificate is usually procured from a company that verifies the identity of the organization administering the site. The certificate issued to that organization is in turn validated by a trusted root certificate authority or by an intermediate authority that the root trusts. This chain of certificates is called a certificate hierarchy. A small group of trusted root certificate authorities ships preinstalled with the operating system; these include names such as Equifax, VeriSign and Thawte. So what happens when the system breaks down?

Measuring Success with Security Metrics

Try to imagine a world without metrics. The temperature would only be “hot” instead of 95° or a project would be “in progress” instead of 75% complete. Metrics provide an effective way to keep track of vital information. They are particularly useful for identifying trends and measuring the progress of activities. When used effectively, security metrics provide a uniform way to make decisions and to measure progress in information security.

Preventing the data breach: A dozen steps to protect against data loss

Losing data can be tremendously devastating to a company. It can compromise security, information, and jobs. Today, we will look at twelve actions a company can take to mitigate the risk of a data breach. These twelve steps (performing a risk analysis, asset identification and classification, attention to detail, encryption, social networking, compliance, management of personnel, least privilege, solution diversity, tracking mobile devices, data destruction, and testing) are essential to a company’s security program.

Guidelines for Username and Password Risk Management
Eric Vanderburg

Usernames and passwords still represent a significant information security risk to organizations. This basic but crucial element can nullify the effectiveness of some of the best systems, which is why keeping usernames and passwords secure is essential if you hope to have assurance in your information system. To help manage information security risk, this article outlines several common bad password practices and the risks they present, along with steps to reduce that risk and protect company information. Some of the most prevalent mistakes users make regarding passwords include:
- Sharing passwords
- Using the same password for multiple accounts
- Creating insecure passwords
- Retaining passwords long-term

Cisco Access Controls and Security

Many organizations use Cisco devices to interconnect, protect, filter, and manage networks, so it is important to understand ways to improve the security of these devices as part of your information security program. This article discusses three basic access controls that you can implement on any Cisco device. These access controls are intended for those who are new to Cisco, so if you are a Cisco veteran, please peruse some of our more advanced articles on Cisco and information security.